You are here

Can Malware (Spectre, Meltdown) Spy After Reboot?

In regard to last week's article on the Spectre and Meltdown CPU exploits, which affects 100% of all computers made since 1995, user 'rep' had the following question to ask:

" Dear Dennis,

[Being that this is a hardware exploit], am I right in thinking that any passwords, etc, which are stored in the CPU's memory are lost when the computer is shut down? If so, could I simply shut off the computer and reload it every time I want to use Internet banking and would that keep me safe from these exploits? "

My response:

I posted my original response in the comments section of Friday's article, but I believe this is an important question which should have its own post.

The quick and short answer is that a virus / malware / exploit does not live in the computer's memory all of the time - it is stored on the hard drive and then reloaded every time the computer is turned on. So, shutting off your computer (should you be infected) will not do anything - the virus / malware / exploit will become active again once the operating system is loaded. This is true every time you turn your computer on UNTIL the virus / malware / exploit has been removed and the system is patched. That said, some exploits are incredibly stealthy and may run undetected for months or even years.

'Rep' wrote in again in the comments section, asking another question:

" I assumed the system was not infected - however, am I correct in thinking that the passwords, etc, which are stored in the CPU's memory (when I log in to my bank) are lost when the computer is powered down - as is the case with RAM memory? "

My response:

Yes and no. The CPU does not have memory, except what is used for caching. The CPU is the brain of the computer, while RAM (random access memory, also known as "primary storage") - utilizes data that is loaded off of the hard drive (secondary storage). The CPU processes data stored in RAM.

Yes it is true that RAM is volatile and is wiped clean when the system is turned off. That said, if you have "fast boot" enabled on the system, whatever you had in RAM previously gets stored onto the hard drive during a shut down. The data is then reloaded back into RAM during boot up - as if the system was never shut off in the first place. So technically speaking here, the contents of RAM are not lost.

In either case, the fact that RAM is wiped clean or is not wiped clean during a shutdown is a moot point in regards to the Meltdown and Spectre - and any other exploit for that matter - because it has nothing to do with the way exploits work.

If you are infected with a virus / malware / exploit - whether you know you're infected or not - whatever you do on the computer can be recorded and sent back to cyber criminals. So in this case it does not matter if you shut off the computer and turn it on again to reset your primary memory (RAM). So in this case, whatever you do while you're banking - entering in your password, looking at account numbers, etc, can be recorded.

The exploits in this case are hardware-based on the CPU and enabled with malware / viruses (software) which are (presumably) downloaded from the Internet; the malware is then stored on the hard drive, which gets reloaded every time your operating system / PC is turned on. So as you can see, it does not matter if the system is shut down and memory is wiped because the system will reload the exploit the next boot until it has been removed and your system is patched.

I hope that helps.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question -- or even a
computer problem that needs fixing --
please email me with your question
so that I can write more articles like this one. I can't promise I'll respond to
all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com.
With over 30 years of computing experience, Dennis' areas of expertise are a
broad range and include PC hardware, Microsoft Windows, Linux, network
administration, and virtualization. Dennis holds a Bachelors degree in Computer
Science (1999) and has authored 6 books on the topics of MS Windows and PC
Security. If you like the advice you received on this page, please up-vote /
Like this page and share it with friends. For technical support inquiries,
Dennis can be reached via Live chat online this site using the Zopim Chat
service (currently located at the bottom left of the screen); optionally, you
can contact Dennis through the website
contact form.

Comments

I must say I didn't know about the fast boot thing. Now I'm just wondering how these two new hardware exploits could get installed onto a Linux system, which is supposed to be less vulnerable to viruses and malware than Windows.

As the original article states, any device with a CPU created after 1995 is susceptible, including: Mac OS, Linux, Windows, Tablets, Smartphones, etc! No electronic device with a CPU is immune which also means no operating system is immune until patched.

The exploit has been proof of concept in test labs, though Intel claims (as of January 8, 2018 at CES) that there are "no known exploits" in the wild.

However, being able to prove that no exploits are in the wild would be next to impossible considering this type of exploit is ultra stealthy because it operates at the hardware level and would go undetected. Furthermore, antivirus and antimalware cannot detect this exploit (because it operates at the hardware level and is a design flaw of the CPU).

Patches are still being developed by Intel and AMD; Intel claims to have a patch to fix "90%" of all Intel CPUs that were made in the last five years, with the rest of the chips (dating back to 1995) by the end of the month.

Of course this does not automatically mean all CPUs (AMD, ARM, etc) will also be patched but I'm sure whatever fix becomes available will be shared with the community.